RedEnergy Stealer-as-a-Ransomware Employed in Attacks in the Wild

Cyber Security Threat Summary:
Zscaler ThreatLabz researchers discovered a new Stealer-as-a-Ransomware named RedEnergy used in attacks against energy utilities, oil, gas, telecom, and machinery sectors. The malware can steal information from various Internet browsers and also supports ransomware activity. In this recent campaign, threat actors disguise the malware as a web browser update to lure victims into installing it.

“The sample Stealer-as-a-Ransomware variant analyzed in this case employs a deceptive FAKEUPDATES campaign to lure in its targets, tricking them into promptly updating their browsers. Once inside the system, this malicious variant stealthily extracts sensitive information and proceeds to encrypt the compromised files,” reads the analysis published by Zscaler. The threat actors are using “reputable LinkedIn pages,” including the Philippines Industrial Machinery Manufacturing Company and multiple organizations in Brazil, to target victims. In this multi-stage attack, victims are initially targeted when they visit the company’s website through its LinkedIn profile. The users are redirected to a rogue website that instructs them to install a seemingly legitimate browser update. The downloaded file is an executable known as RedEnergy Stealer.

Security Officer Comments:
The RedEnergy sample used in this campaign is written in .NET. It has sophisticated features that allow it to evade detection and analysis tools. The malware communicates with its command and control servers over HTTPS.

To maintain persistence, the malware stores files in Windows startup directories. The researchers also noticed suspicious activity involving File Transfer Protocol (FTP), which was likely used for data exfiltration. In the last stage of the attack, the stealer uses its ransomware module to encrypt the user’s data. It appends the “.FACKOFF!” extension to encrypted files and deletes backups.
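As an added detection example (not code from the Zscaler analysis or from the original summary), the following Python hunts for the two host artifacts named above: files carrying the “.FACKOFF!” extension and executable-type files dropped into the Windows startup folders used for persistence. The standard startup folder paths are the usual Windows locations, not something the page states; the sample directory tree and file names (including the fake updater name) are constructed so the script runs offline on any OS.

```python
"""Hunt helpers for two RedEnergy host indicators reported by Zscaler:
the ".FACKOFF!" extension on encrypted files and files placed in Windows
startup folders. Added example; paths and sample files are constructed."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from typing import Iterable

# Extension the analysis reports being appended to encrypted files.
RANSOM_EXTENSION = ".FACKOFF!"

# Standard Windows startup folders (assumed defaults, not page-specific paths).
# The scan functions take explicit paths so the example can be run against
# constructed directories during testing.
DEFAULT_STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("PROGRAMDATA", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
]

# File types that should rarely appear in a startup folder without a known reason.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk", ".scr"}


def find_encrypted_files(root: Path) -> list[Path]:
    """Return every file under root whose name ends with the ransom extension."""
    hits: list[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(RANSOM_EXTENSION):
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def suspicious_startup_entries(startup_dirs: Iterable[Path]) -> list[Path]:
    """Return executable-type files found directly inside the given startup folders."""
    found: list[Path] = []
    for folder in startup_dirs:
        if not folder.is_dir():
            continue  # folder missing on this host (or non-Windows); nothing to check
        for entry in folder.iterdir():
            if entry.is_file() and entry.suffix.lower() in EXECUTABLE_SUFFIXES:
                found.append(entry)
    return sorted(found)


def build_sample_tree() -> tuple[Path, Path]:
    """Constructed sample layout (not real RedEnergy artifacts): one untouched
    document, two 'encrypted' files, and a per-user startup folder holding a
    fake browser updater plus a harmless desktop.ini. Returns (root, startup_dir)."""
    root = Path(tempfile.mkdtemp(prefix="redenergy_hunt_"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx").write_bytes(b"plain document")
    (docs / ("budget.xlsx" + RANSOM_EXTENSION)).write_bytes(b"\x00ciphertext")
    (docs / ("notes.txt" + RANSOM_EXTENSION)).write_bytes(b"\x00ciphertext")
    startup = root / "Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    startup.mkdir(parents=True)
    (startup / "ChromeUpdate.exe").write_bytes(b"MZ")  # constructed fake-updater name
    (startup / "desktop.ini").write_bytes(b"[.ShellClassInfo]")
    return root, startup


def hunt(root: Path, startup_dirs: Iterable[Path]) -> dict[str, list[str]]:
    """Run both checks and return the findings as plain strings for reporting."""
    return {
        "encrypted_files": [str(p) for p in find_encrypted_files(root)],
        "startup_executables": [str(p) for p in suspicious_startup_entries(startup_dirs)],
    }


if __name__ == "__main__":
    sample_root, sample_startup = build_sample_tree()
    for key, paths in hunt(sample_root, [sample_startup]).items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("  ", p)
```

On a real host you would call `hunt(Path("C:/"), DEFAULT_STARTUP_DIRS)` (or point `root` at user profile directories to keep the walk short); any hit on the extension check is a strong signal that the encryption stage has already run, while the startup-folder check is the earlier, more actionable one.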

Manufacturing environments are ideal targets for ransomware actors. Ransomware attacks against operational technology and industrial control systems can lead to severe production impacts for victim organizations, which are then more likely to pay a ransom to become operational again. While many ransomware operators have moved away from actual file encryption to focus on data theft and public leaking, it is likely we will continue to see ransomware encryption used against critical manufacturing victims. Production delays may give victims a larger incentive to pay than any data stolen from OT environments.

MITRE ATT&CK:

  • T1036 - Masquerading
  • T1185 - Browser Session Hijacking
  • T1070.006 - Timestomp
  • T1560 - Archive Collected Data
  • T1027 - Obfuscated Files or Information
  • T1562.001 - Disable or Modify Tools
  • T1486 - Data Encrypted for Impact

Suggested Correction(s):
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated, that you carefully filter and limit internet access to operational networks, and that you identify links between these networks and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Link(s):
https://securityaffairs.com/148193/malware/redenergy-stealer-as-a-ransomware.html
https://www.zscaler.com/blogs/